Identity Collector - Cisco ISE SXP mappings support

Hi,

I've been doing some testing with an R80.20 gateway, Identity Collector and Cisco ISE 2.4 pxGrid.

I've managed to interconnect these components so the basic communication is working fine (the certificate setup is quite cumbersome to be honest).

I am trying to get SXP-learned IP-SGT mappings into the CP IA blade, but it seems the Identity Collector is not picking these up. Does this mean that Identity Collector will only learn IP-SGT mappings from dynamic user sessions and not from SXP-learned IP-SGT mappings?

E.g. I've got the following static mapping on my test switch:

cts role-based sgt-map 172.20.21.151 sgt 6

Which is then learned over SXP by ISE:

I've tried adding and removing the mappings as well but no mappings are being received on the collector, even though it is fully connected to pxgrid (and has an approved connection).

The identity collector does not seem to receive these SXP mappings at all... the ISE is set to publish these on pxgrid:

If this is not supported right now, is this on the roadmap?

Thanks,

Tom.


17 Replies

Re: Identity Collector - Cisco ISE SXP mappings support

Did you follow these steps in the Identity Collector Release Notes?

---

4. Optional: If you want to enforce the Cisco Security Groups Tags (SGTs) on the Gateway:
a. In the Users and Administrators menu, click Create Group > User Group > New Group.
b. Name the new group: CSGT-<SGT_NAME>.
c. Assign the group to an Access Role.
5. Install policy.

Re: Identity Collector - Cisco ISE SXP mappings support

Hi, I used the new "Identity Tags" feature instead, cf. https://community.checkpoint.com/thread/8800-how-to-use-identity-awareness-tags-in-r8020m1

Re: Identity Collector - Cisco ISE SXP mappings support

Could you share what you did with certificates?

I’m struggling with it also and not getting much support from our ISE admins.

Re: Identity Collector - Cisco ISE SXP mappings support

Yes, it is pretty messy to get working.

I basically generated a self-signed client certificate from the ISE web interface (Administration -> pxGrid Services -> Certificates).

Converted that p12 file to .jks with "keytool" (you need the Java SDK installed for that):

$ keytool -importkeystore -srckeystore win2016-1.lab.p12 -destkeystore client.jks -srcstoretype PKCS12
Importing keystore win2016-1.lab.p12 to client.jks...
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias win2016-1.lab_ successfully imported.

Also exported the pxGrid ISE certificate and converted that to DER with openssl:

$ openssl x509 -outform der -in OUCertificateServicesSystemC.pem -out iselab.der

And then converted that to a .jks with Java Keytool:

$ keytool -import -alias ise.lab -keystore server.jks -file iselab.der
Enter keystore password:
Re-enter new password:
Owner: CN=ise.lab, OU=Certificate Services System Certificate
Issuer: CN=Certificate Services Endpoint Sub CA - ise
Serial number: 53b3e07890554133b93b0e9d3fb77d93
Valid from: Thu Nov 22 08:45:29 CET 2018 until: Thu Nov 23 08:45:24 CET 2028
Certificate fingerprints:
SHA1: 92:87:FA:0E:E5:62:1B:46:3A:15:00:13:3E:F1:7D:78:4D:78:F4:ED
SHA256: F2:F4:80:2F:DD:4B:6F:24:03:66:32:5A:6A:87:48:C1:DF:0B:CC:A1:ED:E3:80:94:AD:AA:BD:0B:40:7D:1B:41
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 7B AE 66 EA 2F 60 6F 61 FA 12 64 4E BF 74 52 FD ..f./`oa..dN.tR.
0010: 32 AD BE 88 2...
]
[CN=Certificate Services Node CA - ise]
SerialNumber: [ 1d51f5ee bb2445aa 9328ac72 6a7858a1]
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]

#3: ObjectId: 2.5.29.37 Criticality=true
ExtendedKeyUsages [
serverAuth
clientAuth
]

#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Non_repudiation
Key_Encipherment
]

#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 20 86 63 F5 C1 02 3F 1D 8D 45 41 74 15 A6 C4 48 .c...?..EAt...H
0010: 63 F5 31 41 c.1A
]
]

Trust this certificate? [no]: yes
Certificate was added to keystore

I then used these certificates in the Identity Collector setup. You also have to "approve" the pxGrid client in ISE (also under "pxGrid Services") the first time it connects.

I had some issues making it connect, but that was caused by the fact that I had not added the ISE to a query pool in Identity Collector. It will not connect if it is not part of a query pool...

Good luck,

Tom.
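An added example, not code from the thread: a script that performs the same p12-to-JKS and PEM-to-DER conversion as above, with the checks people in this thread tripped over (same certificate used for client and server, a client .p12 that carries no private key). File names, the "ise.lab" alias and the passwords are assumptions; it needs openssl 1.1.1+ and keytool from a JDK.

```shell
#!/bin/sh
# Added example, not from the thread. Builds client.jks (collector identity)
# and server.jks (ISE pxGrid certificate as a trusted entry) after checking
# the inputs. Needs openssl 1.1.1+ and keytool. File names, the alias
# "ise.lab" and passwords are assumptions for illustration.

# SHA-256 fingerprint of a PEM/DER certificate, for comparison with what
# ISE shows under pxGrid Services > Certificates.
cert_fingerprint() {            # $1 = cert file, $2 = pem | der
    openssl x509 -inform "$2" -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Fingerprint of the certificate inside a PKCS#12 bundle.
p12_cert_fingerprint() {        # $1 = .p12 file, $2 = password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# True if the certificate's Extended Key Usage contains the given text,
# e.g. "TLS Web Server Authentication" (serverAuth) on the ISE certificate.
cert_has_eku() {                # $1 = cert file, $2 = pem | der, $3 = usage
    openssl x509 -inform "$2" -in "$1" -noout -ext extendedKeyUsage | grep -q "$3"
}

# True if the .p12 carries a private key; a key-less bundle imports into a
# JKS without error but the collector cannot authenticate with it.
p12_has_key() {                 # $1 = .p12 file, $2 = password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}

# Run the checks, then produce both keystores. One password is used for the
# .p12 and both JKS files so that key and store passwords stay equal.
build_keystores() {             # $1 = client .p12, $2 = ISE cert (PEM), $3 = password
    p12_has_key "$1" "$3" || { echo "client .p12 has no private key" >&2; return 1; }
    [ "$(p12_cert_fingerprint "$1" "$3")" != "$(cert_fingerprint "$2" pem)" ] \
        || { echo "client and server certificates are identical" >&2; return 1; }
    cert_has_eku "$2" pem 'TLS Web Server Authentication' \
        || { echo "ISE certificate lacks the serverAuth EKU" >&2; return 1; }
    openssl x509 -in "$2" -outform der -out iselab.der
    keytool -importkeystore -noprompt -srckeystore "$1" -srcstoretype PKCS12 \
        -srcstorepass "$3" -destkeystore client.jks -deststoretype JKS -deststorepass "$3"
    keytool -importcert -noprompt -alias ise.lab -file iselab.der \
        -keystore server.jks -storetype JKS -storepass "$3"
}
```

Call it as `build_keystores win2016-1.lab.p12 OUCertificateServicesSystemC.pem <password>` from the directory holding the files; it refuses to build the keystores if any check fails.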

Re: Identity Collector - Cisco ISE SXP mappings support

Thanks, now it's clear with certs. I was not aware that the pxGrid ISE certificate is provided by ISE and was trying to use the same cert for client/server.

Re: Identity Collector - Cisco ISE SXP mappings support

Well, the pxGrid API doc speaks of generating the client cert on the client; that will probably work as well, but you definitely need a different cert for client and server...

Re: Identity Collector - Cisco ISE SXP mappings support

Hi!

Is there a way to push the collector to connect to ISE?

Re: Identity Collector - Cisco ISE SXP mappings support

You need to create a query pool for that.

Re: Identity Collector - Cisco ISE SXP mappings support

I did, and also tied the query pool to the gateway. The collector and gateway are connected, but ISE does not show any attempts from the identity collector to connect, there are no pending requests... Now I did issue a client cert without CSR, I do not know if that matters...

Re: Identity Collector - Cisco ISE SXP mappings support

Did you ever get your issue resolved?

I think we are in the same situation, I've created the client and server certificates (jks) and created the identity source and added it to a Query Pool, but no luck.

Wireshark shows that there is no traffic to or from our ISE.

Edit: Nevermind, hadn't installed JRE...

Re: Identity Collector - Cisco ISE SXP mappings support

Reading all this, I would rather suggest involving TAC in the configuration...

Re: Identity Collector - Cisco ISE SXP mappings support

They will not support generating certs on ISE for sure, as the documentation states: "follow Cisco pxGrid documentation".

Re: Identity Collector - Cisco ISE SXP mappings support

What I meant was help by TAC to get SXP-learned IP-SGT mappings into the CP IA blade; the certs for communication were configured successfully already. Did you not read the original question?

Re: Identity Collector - Cisco ISE SXP mappings support

Well, I doubt Cisco TAC will want to help with the way a Check Point product (Identity Collector) consumes SXP IP-SGT mappings. Also, this is a test lab setup for which I have no support contract... I was just hoping some of the Check Point developers would be able to confirm if it is supported or not 😉

Re: Identity Collector - Cisco ISE SXP mappings support

I have never talked of Cisco TAC here in community.checkpoint.com, but of CP TAC, and cannot understand why you assume something else. But if you do not have any support contract and no CP customer in the back that needs this configured, you are very well off and can just forget about this as an academic issue...

Re: Identity Collector - Cisco ISE SXP mappings support

My mistake, when you say "TAC" I immediately think of Cisco TAC 😉

Re: Identity Collector - Cisco ISE SXP mappings support

As I do nothing with Cisco, for me it is always CP TAC 😉